Solved "Encrypted-Split-No-Strings-DB" - Security Challenge Solved

FrankRuperto

Member
Local time
Today, 06:15
Joined
Mar 6, 2021
Messages
182
> Certainly this is far from being true. Posting something in public does not make it public property. That is an oversimplification of the truth.
>
> Regardless, the program terms state "
>   • represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Microsoft."
> There are a number of civil penalties allowed for, for persons who deliberately break those (among others) rules.

In the specific case of @isladogs "Security Challenge", it actually becomes public domain because he publicly posted his demo database to challenge anyone to break into it. If someone were to reverse engineer his encrypted accde frontend demo, expose the vba code, or any other aspect of his demo, and publish it, isladogs would not legally prevail if he claimed infringement.

https://www.bradley.com/insights/pu...national-copyright-protection-how-does-it-w__
 

Isaac

Lifelong Learner
Local time
Today, 03:15
Joined
Mar 14, 2017
Messages
8,738
> In the specific case of @isladogs "Security Challenge", it actually becomes public domain because he publicly posted his demo database to challenge anyone to break into it. If someone were to reverse engineer his encrypted accde frontend demo, expose the vba code, or any other aspect of his demo, and publish it, isladogs would not legally prevail if he claimed infringement.
>
> https://www.bradley.com/insights/pu...national-copyright-protection-how-does-it-w__

Explain to Microsoft that you submitted another person's database without their permission, let me know how it goes :)

Your problem would be with the Microsoft Terms of Service that you agreed to. Nothing to do with copyright protection.
 

FrankRuperto

> Explain to Microsoft that you submitted another person's database without their permission, let me know how it goes :)
>
> Your problem would be with the Microsoft Terms of Service that you agreed to. Nothing to do with copyright protection.

The MS Bounty Program was made aware of @isladogs Security Challenge. I provided them the link and screenshots of all his webpages related to the demo challenge. If you publicly challenge anyone to break into your software and voluntarily provide said software for that purpose, you relinquish your expectations of privacy, unless you require a non-disclosure agreement as a condition for downloading the software. In the case of isladogs demo challenge, he did not require an NDA. Case dismissed.
 

FrankRuperto

> And, Frank, for what it is worth, I helped maintain the U.S.Navy's BUMED personnel application for their Medical Scholarships program...

BTW, I was a military brat, born on an American Air Force Base near Madrid, Spain and then became a squid in the 7th Fleet as a YN stationed in Yokosuka, Japan.

> As the French would say, chacun a son gut.

Agreed, to each his own. Never doubt the courage of the French, they discovered that snails are edible :)
 

NauticalGent

Ignore List Poster Boy
Local time
Today, 06:15
Joined
Apr 27, 2015
Messages
6,280
> BTW, I was a military brat, born in an American Air Force Base near Madrid, Spain and then became a squid in the 7th Fleet as a YN stationed in Yokosuka, Japan.

My first duty station was at the AIMD in Atsugi Japan. I was an AK and I was there from 84 to 85. Small world
 

arnelgp

..forever waiting... waiting for jellybean!
Local time
Today, 18:15
Joined
May 7, 2009
Messages
19,169
> Certainly this is far from being true. Posting something in public does not make it public property. That is an oversimplification of the truth.

There was a case in court here.
The accused complained that the evidence (images) was taken from his Facebook posts.
The court ruled this out and said whatever you "shared" in public becomes public property.

If you do not want to show it to the public, hide it to yourself and take it to your grave.
 

FrankRuperto

@isladogs - Since your speaking about your Access JSON tool at DevCon Vienna has made you famous, I challenge you to speak about your Encrypted Split No Strings public demo at another Access event. That certainly has made you famous.
 

isladogs

MVP / VIP
Local time
Today, 10:15
Joined
Jan 14, 2017
Messages
18,186
No problem.
In the meantime, how are you getting on with the FrankTheTank challenge?
I left a 'back door' especially to make it easy for you to solve...but you've been very quiet with regard to that example
 

FrankRuperto

> No problem.
> In the meantime, how are you getting on with the FrankTheTank challenge?
> I left a 'back door' especially to make it easy for you to solve...but you've been very quiet with regard to that example

I haven't touched it, rather I emailed Wayne Phillips and Philipp Stiefel to look into it. Might as well let the experts provide feedback on your latest version.
 

isladogs

Ha! In that case, I should have removed the back door. That part is easily solved!
 

FrankRuperto

> Ha! In that case, I should have removed the back door. That part is easily solved!

Philipp S. will probably be looking at your disconnected ADO Recordset setup among other aspects, and Wayne, well everything about it.
I did not see any NDA requirements for FrankTheTank, you should protect your work, should the accde be reverse engineered.
 

isladogs

One day you will perhaps learn the basic etiquette amongst Access developers. Ask first rather than make assumptions.
However it was, as stated, a work in progress and has since been modified further. The actual data is entirely fictitious.

Philipp and I have shared several security challenges and he has presented earlier versions of my work at various Access developers conferences having sought my approval first.
Wayne is of course capable of reverse engineering any Access ACCDE. He doesn't use VBA to do so. He also has nothing to prove.

Both of them will have no problem with one part of the challenge where I deliberately left a back door.
Before posting here I sent it to another expert who solved that part with ease but not the rest of the challenge.

You still don't seem to accept the point I make in all my security articles and keep restating.
No Access database (or any other database such as SQL Server) can ever be made 100% secure.
However, it can be made secure enough such that the time and effort needed for a hacker to gain access to the data is far greater than the value of that data itself.
Just like a burglar, a hacker will want to use their time to maximum benefit. If the result isn't quickly and easily obtained, they will go elsewhere...unless the data is very valuable.
And if it is that valuable, then it shouldn't be stored in Access.
 

FrankRuperto

> Just like a burglar, a hacker will want to use their time to maximum benefit. If the result isn't quickly and easily obtained, they will go elsewhere...unless the data is very valuable.
> And if it is that valuable, then it shouldn't be stored in Access.

Well, as you and several others already know, I was able to quickly break into your accde with the wide array of tools available on the web and able to export data to Excel via your test form, obtain your RC4 cipher key, etc. etc. So easy even a caveman can do it. That's such an uneasy feeling when your users have thousands of customer records to protect, and who was it that supplied the software to store their information? I suggest you take a serious look at Wayne's new vba-compatible compiler. Most of our new business has been migrating Access apps to more secure web solutions. It's the way of the future.
 

isladogs

Correction
After many hours of effort and the help of a $99 hacking utility that you purchased, you were able to partly hack my example database.
You were able to obtain my RC4 key due to a mistake on my part which I've since corrected.
However, you were unable to use that to decrypt the data.
The rest of your repeated claims have been either false or exaggerated from the start as you and I both know.

Nevertheless if you really were a skilled hacker with endless time on your hands, you could have achieved all that you claimed.
I knew exactly how that could be done from the start.

But you didn't....as you and I both know. End of.
 

FrankRuperto

> Correction
> After many hours of effort and the help of a $99 hacking utility that you purchased, you were able to partly hack my example database.
> You were able to obtain my RC4 key due to a mistake on my part which I've since corrected.
> However, you were unable to use that to decrypt the data.
> The rest of your repeated claims have been either false or exaggerated from the start as you and I both know.
>
> Nevertheless if you really were a skilled hacker with endless time on your hands, you could have achieved all that you claimed.
> I knew exactly how that could be done from the start.
>
> But you didn't....as you and I both know. End of.

I am not a skilled hacker. There was no need to further hack your demo, as I was able to easily change the db properties of your accde and export data via your form. Most users would frown if their application were broken into like that. I am happy with the $99 forensics tool I purchased. It does so much more than just changing db properties. It's one of the best made tools for Access I have come across. You yourself said that. Enough of this rhetoric, I proved my point. Let the Access gurus beat up on your new version. I have bigger fish to fry.
 